- Veeam released a patch for a 9.9/10 severity flaw that can lead to RCE
- It was found in Veeam Backup & Restoration
- The bug only works on installations joined to a domain
Veeam released a patch for a critical-level vulnerability recently discovered in its Backup & Replication software.
The vulnerability, tracked as CVE-2025-23120, is described as a deserialization flaw that allows authenticated domain users to conduct remote code execution (RCE) attacks. It was given a severity score of 9.9/10 (critical), and affects Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.
It was fixed with version 12.3.1 (build 12.3.1.1139).
Blacklists and whitelists
The bug was discovered by cybersecurity researchers watchTowr Labs, who slammed Veeam for the way it addresses deserialization problems:
“It seems Veeam, despite being a ransomware gang’s favorite play toy – didn’t learn after the lesson given by Frycos in previous research published. You guessed it – they fixed the deserialization issues by adding entries to their deserialization blacklist,” the researchers explained.
Adding entries to a deserialization blacklist doesn’t work because hackers can always find new avenues, and the developers will always end up being reactive to their behavior, watchTowr explained. Instead, it suggests Veeam should opt for a whitelist approach.
Despite its critical severity, the bug is not that simple to explicit since it only impacts Veeam Backup & Replication installations joined to a domain.
On the downside, any domain user can exploit the bug. BleepingComputer claims that “many companies” joined their Veeam server to a Windows domain, “ignoring the company’s long-standing best practices.”
The same publication claims that ransomware gangs already told them they always target Veeam Backup & Replication servers, since they are an easy way into archives of sensitive information, and allow them to block any restoration and backup efforts.
At press time, there were no reports of in-the-wild abuse, but it is safe to assume that there will be, and soon – now that the cat is out of the bag.
If your company is using Veeam’s Backup & Replication, make sure to upgrade it to version 12.3.1 as soon as you can.
Via BleepingComputer
Leave a comment